InSpec by Chef 3.0 accelerates compliance automation for DevSecOps

Chef released updates to its InSpec by Chef compliance automation platform, including a new plugin architecture, improved ease-of use, improved exception management and automated compliance for Terraform. InSpec 3.0 increases the velocity of compliance audits and remediation, while reducing risk for cross-functional security, development and operations (DevSecOps) teams and their organizations.

“InSpec has helped us break down silos between the application developers, operations and security teams as we migrate to the cloud,” said Ben Peterson, Cloud Architect for Pacific Life.

“It gives everyone confidence that we can automatically deploy and maintain infrastructure-as-code in a transparent, repeatable and secure way. And, due to the human-readable way InSpec code is written, we’ve had success getting buy-in from the non-technical decision makers, which has been crucial in supporting our transformation efforts. We are also excited about the Compliance for Terraform feature, because it will give us static code analysis for security prior to deployment. This is a big deal, because we will catch and prevent deployment of non-compliant infrastructure, which saves costs and enhances security.”

“With InSpec as an integral part of our pipeline, we are able to automatically test for security and compliance throughout the development process,” said Keith Walters, Director of Partner Solutions for TapHere! Technology.

“The detailed visibility into our systems that InSpec provides enables us to drive towards an Automated ATO (Authority to Operate), or approval to push live. This accelerates how we deliver mission capabilities to our citizens and service members while adhering to our security requirements.”

InSpec is an open-source language for describing security and compliance rules that can be shared between software engineers, operations and security engineers. InSpec is designed to be used at all stages of the software delivery process, from developers’ workstations to production, allowing companies to achieve compliance with no performance impact or side-effects. InSpec is designed to be easy-to-use, even by users with no background in programming.

New features in InSpec 3.0 designed to enhance the developer experience include:

New plugin architecture: The InSpec 3.0 plugin architecture makes it easier for developers to extend InSpec for use with a variety of systems in need of compliance automation. Available for both InSpec and Train (Transport Interface Library), the plugin architecture allows for both pluggable communication protocols as well as new resource types in InSpec to be developed.

Improved exception management: Exception management is challenging both in terms of the ability to skip the execution of certain InSpec controls on specific nodes (e.g., those with compensating controls) and the ability to keep track of acceptable failures (i.e., where controls are not skipped but the failures are acceptable). InSpec 3.0 enables both actions, streamlining processes and outcomes to facilitate core audit and remediation capabilities while minimizing confusion.

Workflow-enhancing APIs: InSpec 3.0 allows developers to author new resources — classes of “things” that can be tested on a system or a cloud. This includes the introduction of a new, stable API between profiles — groups of compliance tests similar to Chef Cookbooks — and attributes — the data that enables users to modify how tests are conducted. Improvements to the packaging (vendoring) mechanism for profiles allows developers to iterate on InSpec profiles with dependencies.

“Chef InSpec 3.0’s new plugin model makes it easy for users to define and test application environment security policies,” said Andrew Starr-Bochicchio, Product Manager of Developer Experience at DigitalOcean. “This, coupled with InSpec’s Terraform integration and the DigitalOcean Terraform provider, lets our users design their compliance rules as code and automatically test security compliance each time they update their DigitalOcean infrastructure.”

InSpec 3.0 features designed to improve user experience, especially in mixed environments, include:

Compliance for Terraform: A provisioner plugin for Terraform allows InSpec to be executed during a Terraform run in order to validate the state of virtual machines as well as cloud infrastructure in one seamless operation. InSpec 3.0 also provides InSpec-Iggy (“InSpec Generator”, or I.G.) which allows users to generate compliance controls from a Terraform state file. Both of these features extend compliance into a new domain, allowing provisioning-as-code to be validated for compliance whenever changes are proposed to it.

Compliance for Google Cloud Platform (GCP): Native support for GCP, using InSpec 3.0’s new plugin architecture, further extends InSpec’s cloud compliance capabilities. Premium InSpec content in Chef Automate to support the Center for Internet Security (CIS) benchmarks for GCP helps customers get started to ensure compliance across cloud applications and infrastructure. The CIS has certified Chef as the first compliance automation vendor implementing the CIS GCP Benchmark.

Improved metadata interface on controls: InSpec 3.0 introduces a key-value based description interface, allowing for more reporting as well as de-duplication of controls that satisfy one or more compliance regimes. This allows users to create custom metadata categories, e.g., what compliance regime or regimes a control is for, how to remediate a finding, or how to escalate the finding.

“Establishing and maintaining compliance across heterogeneous environments is a daunting task, made more so by ever-shifting regulatory requirements alongside rapidly-evolving hybrid IT strategies,” said Corey Scobie, SVP of Product and Engineering at Chef.

“InSpec 3.0 further eases the path to compliance for both developers and operations teams, and helps accelerate enterprises’ digital transformations by laying a solid foundation for cloud migration.”


Subscribe to the Help Net Security breaking news e-mail alerts:

More about

Don't miss